5 Steps for implementing a BYOD identity governance solution

BYOD access provisioning.

I began writing about technology systems at the dawn of the handheld era. The first time I ever wrote about the use of a mobile device in the workplace was in regard to an unwieldy piece of hardware with a monochromatic screen used by nurses for bedside documentation of patients’ vital signs and medication records.

It didn’t take long, however, for mobile devices to grow, both in use and in the types of devices used. Pretty soon, physicians were using mobile devices loaded with pharmaceutical journals and other information. Bedside documentation increased and pretty soon only the “older” clinicians who practiced medicine “the old fashioned way” were without the use of a handheld on their rounds.

But in the early days of mobile device usage in the medical practice, most of the devices — like in so many other industries — were issued by the medical group that employed the doctor or nurse. Today, most clinicians armed with mobile devices are participants in the growing trend of “Bring Your Own Device” — better known as BYOD.

The healthcare system is at the top of the list of industries where user access provisioning is a paramount concern. That’s why as personal devices become ever more prevalent within healthcare organizations, the need increases exponentially to offer password self-service and manage the user provisioning process along with the devices used to access patient data.

Recently, Eric Mueller, services president of the healthcare consulting firm WPC, issued a call-to-arms of sorts as he urged that the “Time to Address BYOD is Running Out.” He cautions:

“Given that the FDA has indicated for any app that turns a mobile device — iOS, Android, BlackBerry, Windows — into a diagnostic medical device, every hospital and health system must address BYOD, and the sooner the better. Unless proactive provider leadership renders guidance, employees will continue to bring in devices and to use them however they see fit.”

He adds that it is imperative for healthcare organizations to implement mobile device strategies that determine how and what type of devices should be used. After those steps he believes a user provisioning process and IT cyber security policy should be implemented.

The only problem with Mueller’s assessment is that a larger percentage of medical professionals are already accessing patient data with their own mobile devices. Rather than how or what devices can be used, healthcare organizations need to jump right to access provisioning or “who can access what” in order to mitigate current cyber security threats.

This is true not only for the healthcare field, but also for most industries. BYOD is here. Organizations need to jump right to identity and access management (IAM) solutions that use automation and rules engines to eradicate group management risks and access certification issues.

Steps for implementing an identity access provisioning solution for BYOD would be:

User Access Provisioning: identify which employees have the appropriate access for their positions and what files they are authorized to access

Establish Real-Time Revoke of Access: just as important as the ability to grant rights is the ability to revoke them. This keeps access certification as a closed-loop process and allows organizations to revoke functionalities from previously authorized users, while ensuring the process is fully integrated within the identity and access management system

Automated User Provisioning and automatic group management: dynamically ensure access risk is under control through the implementation of defined data points and rules engines that leverage business data and rules exceptions to delegate and rescind privileges

Institute Data-Driven Membership: as often as necessary, enable active directory group management automatically by granting membership according to employee attributes, end-user account property values found in directories and even Web service feeds

Test the Rules: consistently and repeatedly check rule based group managementto ensure accesses are still appropriate, while also viewing identity matches including missing, removed, new members, and exceptions for possible errors in determinations.

Implementing identity and access management in this manner will ensure BYOD employees only access the data for which they have authorization… it will also mitigate the risk and ensure that the company with BYOD doesn’t wind up SOL.

To learn more about Avatier’s ITIL service catalog solutions watch the Gwinnett Medical Center Customer Testimonial:

Get Your Free Top 10 Access Governance Best Practices Workbook

Learn the top 10 Access Governance Best Practices for successful implementations from experts. Sidestep the challenges that can derail GRC software and compliance management projects.

Gary Thompson is a 35 year veteran of the PR industry. He was the president of Shandwick International, the world’s largest agency with 2000 people in 90 offices and 32 countries. A million mile flyer on both American and United, he got off the road at the “encouragement” of his wife. Four years ago, he founded his own firm, Clarity Communications, which counts Avatier as one its most successful clients.